Cisco AnyConnect VPN Client Administrator Guide, Release 2.2
Chapter 4, Configuring and Using AnyConnect Client Operating Modes and User Profiles
Downloads: This chapterpdf (PDF - 0.98MB) The complete bookPDF (PDF - 4.6MB) | Feedback

Configuring and Using AnyConnect Client Operating Modes and User Profiles

Table Of Contents

Configuring and Using AnyConnect Client Operating Modes and User Profiles

AnyConnect Client Operating Modes

Using the AnyConnect CLI Commands to Connect (Standalone Mode)

Connecting Using WebLaunch

User Log In and Log Out

Logging In

Logging Out

Configuring and Using User Profiles

Enabling AnyConnect Client Profile Downloads

Configuring Profile Attributes

Enabling Start Before Logon (SBL) for the AnyConnect Client

Installing Start Before Logon Components (Windows Only)

Differences Between Windows-Vista and Pre-Vista Start Before Logon

XML Settings for Enabling SBL

CLI Settings for Enabling SBL

Scenario: Using Start Before Logon

Using the Manifest File

Troubleshooting SBL

Configuring Start Before Logon (PLAP) on Windows Vista Systems

Differences Between Windows-Vista and Pre-Vista Start Before Logon

Installing PLAP

Logging on to a Windows Vista PC using PLAP

Disconnecting from the AnyConnect Client Using PLAP

Configuring the ServerList Attribute

Configuring the Certificate Match Attribute

Certificate Key Usage Matching

Extended Certificate Key Usage Matching

Certificate Distinguished Name Mapping

Certificate Matching Example


Configuring and Using AnyConnect Client Operating Modes and User Profiles


AnyConnect Client Operating Modes

The user can use the AnyConnect Client in the following modes:

Standalone mode—Lets the user establish a Cisco AnyConnect VPN client connection without the need to use a web browser. If you have permanently installed the AnyConnect client on the user's PC, the user can run in standalone mode. In standalone mode, a user opens the AnyConnect client just like any other application and enters the username and password credentials into the fields of the AnyConnect GUI. Depending on ho w you configure the system, the user might also be required to select a group. When the connection is established, the security appliance checks the version of the client on the user's PC and, if necessary, downloads the latest version.

WebLaunch mode—Lets the user enter the URL of the security appliance in the Address or Location field of a browser using the https protocol. The user then enters the username and password information on a Logon screen and selects the group and clicks submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue.

The portal window appears. To start the AnyConnect client, the user clicks Start AnyConnect on the main pane. A series of documentary windows appears. When the Connection Established dialog box appears, the connection is working, and the user can proceed with online activities.

Using the AnyConnect CLI Commands to Connect (Standalone Mode)

The Cisco AnyConnect VPN Client provides a command line interface (CLI) for users who prefer to issue commands instead of using the graphical user interface. The following sections describe how to launch the CLI command prompt.

For Windows

To launch the CLI command prompt and issue commands on a Windows system, locate the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client. Double-click the file vpncli.exe.

For Linux and Mac OS X

To launch the CLI command prompt and issue commands on a Linux or Mac OS X system, locate the file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn.

You can run the CLI in interactive mode, in which it provides its own prompt, or you can run it with the commands on the command line. Table 1-1 shows the CLI commands.

Table 1-1 AnyConnect Client CLI Commands

Command
Action

connect IP address or alias

Client establishes a connection to a specific security appliance.

disconnect

Client closes a previously established connection.

stats

Displays statistics about an established connection.

quit

Exits the CLI interactive mode.

exit

Exits the CLI interactive mode.


The following examples show the user establishing and terminating a connection from the command line:

Windows

connect 209.165.200.224

Establishes a connection to a security appliance with the address 209.165. 200.224. After contacting the requested host, the AnyConnect client displays the group to which the user belongs and asks for the user's username and password. If you have specified that an optional banner be displayed, the user must respond to the banner. The default response is n, which terminates the connection attempt. For example:

VPN> connect 209.165.200.224
	>>contacting host (209.165.200.224) for login information...
	>>Please enter your username and password.
Group: testgroup
Username: testuser
Password: ********
	>>notice: Please respond to banner.
VPN> 
STOP! Please read. Scheduled system maintenance will occur tonight from 1:00-2:00 AM for 
one hour. The system will not be available during that time.
 
   
accept? [y/n] y
	>> notice: Authentication succeeded. Checking for updates...
	>> state: Connecting
	>> notice: Establishing connection to 209.165.200.224.
	>> State: Connected
	>> notice: VPN session established.
VPN>
 
   
stats

Displays statistics for the current connection; for example:

VPN> stats
[ Tunnel Information ]
 
   
	Time Connected:	01:17:33
	Client Address:	192.168.23.45
	Server Address:	209.165.200.224
 
   
[ Tunnel Details ]
 
   
	Tunneling Mode:	All Traffic
	Protocol: DTLS
	Protocol Cipher: RSA_AES_256_SHA1
	Protocol Compression: None
 
   
[ Data Transfer ]
 
   
	Bytes(sent/received): 1950410/23861719
	Packets (sent/received): 18346/28851
	Bypassed (outbound/inbound): 0/0
	Discarded (outbound/inbound): 0/0
 
   
[ Secure Routes ]
 
   
	Network			Subnet
	0.0.0.0			0.0.0.0
VPN>
 
   
disconnect

Closes a previously established connection; for example:

VPN> disconnect
	>> state: Disconnecting
	>> state: Disconnected
	>> notice: VPN session ended.
VPN>

quit or exit

Either command exits the CLI interactive mode; for example:

quit
goodbye
	>>state: Disconnected
 
   

Linux or Mac OS X

/opt/cisco/vpn/bin/vpn connect 1.2.3.4 

Establishes a connection to a security appliance with the address 1.2.3.4.

/opt/cisco/vpn/bin/vpn connect some_asa_alias

Establishes a connection to a security appliance by reading the profile and looking up the alias some_asa_alias in order to find its address.

/opt/cisco/vpn/bin/vpn stats

Displays statistics about the vpn connection.

/opt/cisco/vpn/bin/vpn disconnect     

Disconnect the vpn session if it exists.

Connecting Using WebLaunch

The Cisco AnyConnect VPN Client provides a browser interface for users who prefer to a graphical user interface. WebLaunch mode lets the user enter the URL of the security appliance in the Address or Location field of a browser using the https protocol. For example:

https://209.165.200.225
 
   

The user then enters the username and password information on a Logon screen and selects the group and clicks submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue.

The portal window appears. To start the AnyConnect client, the user clicks Start AnyConnect on the main pane. A series of documentary windows appears. When the Connection Established dialog box appears, the connection is working, and the user can proceed with online activities.


Note For Windows Vista users who use the Internet Explorer browser, you must add the security appliance to the list of trusted sites, as described in Adding a Security Appliance to the List of Trusted Sites (IE).


User Log In and Log Out

You might find it useful to provide the following instructions to your remote users.

Logging In

Your system administrator has assigned you a remote access username and password. Before you log in, you must get this information from your system administrator.


Step 1 Enter your remote access username in the Username field.

Step 2 Enter your remote access password in the Password field.

Step 3 Click Login.

Step 4 If you receive a certificate warning, install the certificate.

Your remote access home page appears.


Logging Out

To end your remote access session, click the "Close Window" (X) icon in the toolbar or click the Logout link. The Logout page appears, confirming that your session has been terminated and offering you the opportunity to log in again.

Quitting the browser also logs out the session.


Caution Security note: Always log out when you finish your session. Logging out is especially important when you are using a public computer such as in a library or Internet cafe. If you do not log out, someone who uses the computer next could access your files. Don't risk the security of your organization! Always log out.

Configuring and Using User Profiles

An AnyConnect client user profile is an XML file that lets you identify the secure gateway (security appliance) hosts that you want to expose to the user community. In addition, the profile conveys additional connection attributes and constraints on a user.

Usually, a user has a single profile file. This profile contains all the hosts needed by a user, and additional settings as needed. In some cases, you might want to provide more than one profile for a given user. For example, someone who works from multiple locations might need more than one profile. In such cases, the user selects the appropriate profile from a drop-down list. Be aware, however, that some of the profile settings, such as Start Before Login, control the connection experience at a global level. Other settings, such as those unique to a particular host, depend on the host selected.

Enabling AnyConnect Client Profile Downloads

An AnyConnect client profile is a group of configuration parameters, stored in an XML file, that the client uses to configure the connection entries that appear in the client user interface. The client parameters (XML tags) include the names and addresses of host computers and settings to enable additional client features.

You can create and save XML profile files using a text editor. The client installation contains one profile template (AnyConnectProfile.tmpl) that you can edit and use as a basis to create other profile files.

The profile file is downloaded from the security appliance to the remote users's PC, so you must first import the profile(s) into the security appliance in preparation for downloading to the remote PC. You can import a profile using either ASDM or the command-line interface. See "Sample AnyConnect Profile and XML Schema" for a sample AnyConnect profile.

When the AnyConnect client starts, it reads the preferences.xml file in the following directory:

C:\Documents and Settings\<your_username>\Application Data\Cisco\Cisco AnyConnect VPN Client.

The preferences.xml file contains the username and the security appliance IP address/hostname from the last successful connection. The client then establishes an initial connection to the security appliance to get the list of tunnel groups to display in the GUI. during this initial connection, if the security appliance is no longer accessible or if the hostname cannot be resolved, the user sees the message, "Connection attempt has failed" or "Connection attempt has failed due to unresolvable host entry."

You can place a copy of your profile (for example, CiscoAnyConnectProfile.xml) in the directory: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile The location for Windows Vista is slightly different: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile The host that appears in the Connect to combo box is the first one listed in the profile or the last host you successfully connected with.


Caution Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as Notepad or Wordpad.

Use the template that appears after installing AnyConnect on a workstation:
\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl

Follow these steps to edit profiles and use ASDM to enable the security appliance to download them to remote clients:


Step 1 Retrieve a copy of the profiles file (AnyConnectProfile.xml) from a client installation. Table 1-2 shows the installation path for each operating system.

Table 1-2 Operating System and Profile File Installation Path

Operating System
Installation Path

Windows

%PROGRAMFILES%\Cisco\Cisco AnyConnect VPN Client\1

Linux

/opt/cisco/vpn/profile

Mac OS X

/opt/cisco/vpn/profile

1 %PROGRAMFILES% refers to the environmental variable by the same name. In most Windows installation, this is C:\Program Files.


Step 2 Edit the profiles file. The example below shows the contents of the profiles file (AnyConnectProfile.xml) for Windows:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    This is a template file that can be configured to support the
    identification of secure hosts in your network.
 
   
    The file needs to be renamed to CiscoAnyConnectProfile.xml.
 
   
    The svc profiles command imports updated profiles for downloading to
    client machines.
-->
<Configuration>
    <ClientInitialization>
        <UseStartBeforeLogon>false</UseStartBeforeLogon>
    </ClientInitialization>
    <HostProfile>
        <HostName></HostName>
        <HostAddress></HostAddress>
    </HostProfile>
    <HostProfile>
        <HostName></HostName>
        <HostAddress></HostAddress>
    </HostProfile>
</Configuration>
 
   

The <HostProfile> tags are frequently edited so that the AnyConnect client displays the names and addresses of host computers for remote users. The following example shows the <HostName> and <HostAddress> tags, with the name and address of a host computer inserted:

 
   
    <HostProfile>
        <HostName>Sales_gateway</HostName>
        <HostAddress>209.165.200.225</HostAddress>
    </HostProfile>
 
   

Step 3 To identify to the security appliance the client profiles file to load into cache memory, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > Client Settings (Figure 1-1).

Figure 1-1 Adding or Editing an AnyConnect VPN Client Profile

In the SSL VPN Client Profiles area, click Add or Edit. the Add or Edit SSL VPN Client Profiles dialog box appears (Figure 1-2).

Figure 1-2 Add (or Edit) SSL VPN Client Profiles Dialog Box

Enter the profile name and profile package names in their respective fields. To browse for a profile package name, click Browse Flash. The Browse Flash dialog box appears (Figure 1-3).

Figure 1-3 Browse Flash Dialog Box

Select a file from the table. The file name appears in the File Name field below the table. Click OK. The file name you selected appears in the Profile Package field of the Add or Edit SSL VPN Client Profiles dialog box.

Step 4 Click OK in the Add or Edit SSL VPN Client dialog box. This makes profiles available to group policies and username attributes of client users.

Step 5 To configure a profile for a group policy, select Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Select an existing group policy and click Edit or click Add to configure a new group policy. In the navigation pane, select Advanced > SSL VPN Client. The Add or Edit Internal Group Policy dialog box appears (Figure 1-4).

Figure 1-4 Add or Edit Internal Group Policy Dialog Box

Continue with Step 7.

Step 6 To configure a profile for a user, select Configuration > Device Management > Users/AAA > User Accounts. Select an existing username and click Edit or click Add to configure a new username. In the navigation pane, select VPN Policy > SSL VPN Client. To modify an existing user's profile, select that user from the table and click Edit. To Add a new user, click Add. The Add or Edit User Account dialog box appears (Figure 1-5).

Figure 1-5 Add or Edit User Account Dialog Box (Username)

Step 7 Deselect Inherit and select a Client Profile to Download from the drop-down list or click New to specify a new client profile. If you click New, the Add SSL VPN Client Profile dialog box (Figure 1-2) appears; follow the procedures that pertain to that figure.

Step 8 When you have finished with the configuration, click OK.


Configuring Profile Attributes

You configure profile attributes by modifying the XML profile template and saving it with a unique name. You can then distribute the profile XML file to end users at any time. The distribution mechanisms are bundled with the software distribution.


Note It is important to validate the XML profile you create. Use an online validation tool or the profile import feature in ASDM. For validation, you can use the AnyConnectProfile.xsd found in the same directory as the profile template. See "Sample AnyConnect Profile and XML Schema" for a hard copy of these files.

For Windows Vista, Windows XP, and Windows 2000 systems with MSXML 6.0, the AnyConnect client validates the XML profile against the profile XSD schema and logs any validation failures. MSXML 6.0 ships with Windows Vista and is available for download from Microsoft for Windows XP and Windows 2000 from the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en
(CSCsj58515).


The following sections describe how to modify the profiles template to configure the profile attributes:

Enabling Start Before Logon (SBL) for the AnyConnect Client.

Configuring Start Before Logon (PLAP) on Windows Vista Systems

Enabling Start Before Logon (SBL) for the AnyConnect Client

With Start Before Logon enabled, the user sees the AnyConnect GUI logon dialog before the Windows logon dialog box appears. This establishes the VPN connection first. Available only for Windows platforms, Start Before Logon lets the administrator control the use of login scripts, password caching, mapping network drives to local drives, and more. You can use the SBL feature to activate the VPN as part of the logon sequence. SBL is disabled by default.


Note Within the AnyConnect client, the only configuration you do for SBL is enabling the feature. Network administrators handle the processing that goes on before logon based upon the requirements of their situation. Logon scripts can be assigned to a domain or to individual users. Generally, the administrators of the domain have batch files or the like defined with users or groups in Active Directory. As soon as the user logs on, the login script is executed.


The point of SBL is that it connects a remote computer to the company infrastructure prior to logging on to the PC. For example, a user might be outside the physical corporate network, unable to access corporate resources until his or her PC has joined the corporate network.

With SBL enabled, the AnyConnect client connects before the user sees the Microsoft login window. The user must also log in, as usual, to Windows when the Microsoft login window appears.

The reasons that a user might want to use SBL include the following:

The user's PC itself is joined to an Active Directory infrastructure.

The user cannot have cached credentials on the PC; that is, if the group policy disallows cached credentials.

The user must run login scripts that execute from a network resource or that need access to a network resource.

A user has network-mapped drives that require authentication with the Active Directory infrastructure.

Networking components (such as MS NAP/CS NAC) exist that might require connection to the infrastructure.

SBL creates a network that is equivalent to being on the local corporate LAN. For example, with SBL enabled, since the user has access to the local infrastructure, the logon scripts that would normally run when a user is in the office would also be available to the remote user.

For information about creating logon scripts, see the following Microsoft TechNet article:

http://technet2.microsoft.com/windowsserver/en/library/8a268d3a-2aa0-4469-8cd2-8f28d6a630801033.mspx?mfr=true

For information about using local logon scripts in Windows XP, see the following Microsoft article:

http://www.windowsnetworking.com/articles_tutorials/wxpplogs.html

In another example, a system might be configured not allow cached credentials to be used to log on to the PC. In this scenario, a users must be able to communicate with a domain controller on the corporate network for their credentials to be validated prior to gaining access to the PC.

SBL requires a network connection to be present at the time it is invoked. In some cases, this might not be possible, because a wireless connection might depend on credentials of the user to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a login, a connection would not be available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across login, or another wireless authentication needs to be configured, for SBL to work.

Installing Start Before Logon Components (Windows Only)

The Start Before Logon components must be installed after the core client has been installed. Additionally, the AnyConnect 2.2 Start Before Logon components require that version 2.2, or later, of the core AnyConnect client software be installed. If you are pre-deploying the AnyConnect client and the Start Before Logon components using the MSI files (for example, you are at a big company that has its own software deployment—Altiris or Active Directory or SMS.) then you must get the order right. The order of the installation is handled automatically when the administrator loads AnyConnect if it is web deployed and/or web updated. For complete installation information, see Release Notes for Cisco AnyConnect VPN Client, Release 2.2.

Differences Between Windows-Vista and Pre-Vista Start Before Logon

The procedures for enabling SBL differ slightly on Windows Vista systems. Pre-Vista systems use a component called VPNGINA (which stands for virtual private network graphical identification and authentication) to implement SBL. Vista systems use a component called PLAP to implement SBL.

In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides start Before Logon functions on Windows Vista and the Windows 2008 server. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.


Note In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista systems.


In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.

A GINA is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or to activate any Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.

The sections that immediately follow describe the settings and procedures for both VPNGINA and PLAP SBL. For a complete description of enabling and using the SBL feature (PLAP) on a Windows Vista platform, see Configuring Start Before Logon (PLAP) on Windows Vista Systems.

XML Settings for Enabling SBL

The element value for UseStartBeforeLogon allows this feature to be turned on (true) or off (false). If the you set this value to true in the profile, additional processing occurs as part of the logon sequence. See the Start Before Logon description for additional details.

You enable SBL by setting the <UseStartBefore Logon> value in the CiscoAnyConnect.xml file to true:

<?xml version="1.0" encoding="UTF-8" ?> 
<Configuration> 
<ClientInitialization> 
<UseStartBeforeLogon>true</UseStartBeforeLogon> 
</ClientInitialization> 
 
   

To disable SBL, set the same value to false.

To enable the UserControllable feature, use the following statement when enabling SBL:

<UseStartBeforeLogon userControllable="false">true</UseStartBeforeLogon> 
 
   

Any user setting associated with this attribute is stored elsewhere.

CLI Settings for Enabling SBL

To minimize download time, the AnyConnect client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. To enable new features, such as Start Before Logon (SBL), you must specify the module name using the svc modules command from group policy webvpn or username webvpn configuration mode:

[no] svc modules {none | value string}

The string value for SBL is vpngina.

In the following example, the network administrator enters group-policy attributes mode for the group policy telecommuters, enters webvpn configuration mode for the group policy, and specifies the string vpngina to enable SBL:

hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostame(config-group-webvpn)# svc modules value vpngina
 
   

In addition, the administrator must ensure that the AnyConnect <profile.xml> file (where <profile.xml> is the name that the network administrator has assigned to the XML file) has the <UseStartBeforeLogon> statement set to true. For example:

<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
 
   

The system must be rebooted before Start Before Logon takes effect.

You must also specify on the security appliance that you want to allow SBL (or any other modules for additional features). See the description in the section Enabling Modules for Additional AnyConnect Features (ASDM) or Enabling Modules for Additional AnyConnect Features (CLI) for a description of how to do this.

Scenario: Using Start Before Logon

The following scenario walks you through the process of setting up the XML file and troubleshooting SBL:


Step 1 Create a profile to be pushed down to the Client PCs that looks similar to the following:

<?xml version="1.0" encoding="UTF-8" ?> 
 
   
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi :schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
 
   
<ClientInitialization> 
<UseStartBeforeLogon>true</UseStartBeforeLogon> 
</ClientInitialization> 
 
   
<ServerList>
<HostEntry>
<HostName>text.cisco.com</HostName>
</HostEntry>
<HostEntry>
<HostName>test1.cisco.com</HostName>
<HostAddress>1.1.1.1</HostAddress>
</HostEntry>
.
.
.
<HostEntry>
<HostName>test2.cisco.com</HostName>
<HostAddress>1.1.1.2</HostAddress>
</HostEntry>
</ServerList>
 
   
</AnyConnectProfile>
 
   

Step 2 Copy the file to the FLASH on the security appliance:

Copy tftp://x.x.x.x/AnyConnectProfile.xml AnyConnectProfile.xml 
 
   

Step 3 On the security appliance, add the profile as an available profile to the webvpn global section - (assuming everything else is set up correctly for AnyConnect connections):

hostname(config-group-policy)# webvpn
hostame(config-group-webvpn)# svc profiles ReallyNewProfile disk0:/AnyConnectProfile.xml
 
   

Step 4 Edit the group policy you are using and add the 'svc modules' and 'svc profile' commands:

hostname(config)# group-policy GroupPolicy internal
hostname(config)# group-policy GroupPolicy attributes
hostname(config-group-policy)# webvpn
hostame(config-group-webvpn)# svc modules value vpngina
hostame(config-group-webvpn)# svc profiles value ReallyNewProfile
 
   

Using the Manifest File

The AnyConnect package that is uploaded on the security appliance contains a file called VPNManifest.xml. The following example shows some sample content of this file:

<?xml version="1.0" encoding="UTF-7"?> <vpn rev="1.0"> 
 
   
<file version="2.1.0150" id="VPNCore" is_core="yes" type="exe" action="install">
   <uri>binaries/anyconnect-win-2.1.0150-web-deploy-k9.exe</uri>
 </file>
 
   
 <file version="2.1.0150" id="gina" is_core="yes" type="exe" action="install" 
module="vpngina">
   <uri>binaries/anyconnect-gina-win-2.1.0150-web-deploy-k9.exe</uri>
 </file>
</vpn> 
 
   

The security appliance has stored on it configured profiles, as explained in Step 1 above, and it also stores one or multiple AnyConnect packages that contain the AnyConnect client itself, downloader utility, manifest file, and any other optional modules or supporting files.

When a remote user connects to the security appliance using WebLaunch or an existing standalone client, the downloader is downloaded first and run, and it uses the manifest file to ascertain whether there is a existing client on the remote user's PC that needs to be upgraded, or whether a fresh installation is required. The manifest file also contains information about whether there are any optional modules that must be downloaded and installed—in this case, the VPNGINA. The client profile also is pushed down from the security appliance. The installation of VPNGINA is activated by the command svc modules value vpngina configured under group-policy (webvpn) command mode as explained in Step 4. The AnyConnect client and VPNGINA are installed, and the user sees the AnyConnect Client at the next reboot, prior to Windows Domain logon.

When the users connects, the client and profile are passed down to the user's PC; the client and VPNGINA are installed; and the user sees the AnyConnect client at the next reboot, prior to logging in.

A sample profile is provided on the client PC when AnyConnect is installed:

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco\AnyConnect VPN Client\Profile\AnyConnectProfile

Troubleshooting SBL

Use the following procedure if you encounter a problem with SBL:


Step 1 Ensure that the profile is being pushed.

Step 2 Delete prior profiles (search for them on the hard drive to find the location, *.xml).

Step 3 When you go to Add/Remove Programs, do you have both an AnyConnect installation and an AnyConnect VPNGina installation?

Step 4 Uninstall the AnyConnect client.

Step 5 Clear the user's AnyConnect log in the Event Viewer and retest.

Step 6 Web browse back to the security appliance to install the client again.

Step 7 Make sure the profile also appeared.

Step 8 Reboot once. On the next reboot, you should be prompted with the Start Before Logon prompt.

Step 9 Send the AnyConnect event log to Cisco in .evt format

Step 10 If you see the following error:

Description: Unable to parse the profile C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\VABaseProfile.xml. Host data not available.

Delete the user profile and use the default profile.


Configuring Start Before Logon (PLAP) on Windows Vista Systems

As on the other Windows platforms, the Start Before Logon feature enables the establishment of a VPN tunnel prior to the user's login on to the Windows system, so that users can connect to their corporate infrastructure before logging on to their PCs. Windows Vista (with Windows Server 2008), Microsoft's next-generation operating system, uses different mechanisms from Windows XP and Windows 2000 (with Windows 2003 server), so the AnyConnect client Start Before Logon feature on the Windows Vista platform uses a different mechanism well.

In the AnyConnect client, the new Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides start Before Logon functions on Windows Vista and the Windows 2008 server. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.


Note In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista systems.


Differences Between Windows-Vista and Pre-Vista Start Before Logon

In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.

In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides start Before Logon functions on Windows Vista and the Windows 2008 server. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.


Note In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista systems.


On pre-Vista systems, the GINA component is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or to activate any Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.

Installing PLAP

The vpnplap.dll and vpnplap64.dll components are part of the existing GINA installation package, so the network administrator can load a single, add-on Start Before Logon package on the security appliance, which then installs the appropriate component for the target platform. PLAP is an optional feature. The installer software detects the underlying operating system and places the appropriate DLL in the system directory. For systems prior to Windows Vista, the installer installs the vpngina.dll component on 32-bit versions of the operating system. On Windows Vista or the Windows 2008 server, the installer determines whether the 32-bit or 64-bit version of the operating system is in use and installs the appropriate PLAP component.


Note If you uninstall the AnyConnect client while leaving the VPNGINA or PLAP component installed, the VPNGINA or PLAP component is disabled and not visible to the user.


Once installed, PLAP is not active until the network administrator modifies the user profile <profile.xml> file to activate start before logon. See XML Settings for Enabling SBL. After activation, the user invokes the Network Connect component by clicking Switch User, then the Network Connect icon in the lower, right-hand part of the screen.


Note If the user mistakenly minimizes the user interface, he or she can restore it by pressing the Alt+Tab key combination.


Logging on to a Windows Vista PC using PLAP

To log on to Windows Vista when PLAP is enabled, do the following steps. (These steps are Microsoft requirements):


Step 1 At the Windows Vista start window, press the Ctrl+Alt+Delete key combination (Figure 1-6).

Figure 1-6 Vista Login Window Showing the Network Connect Button

This displays the Vista logon window with a Switch User button (Figure 1-7).

Figure 1-7 Vista Logon Window with Switch User Button

Step 2 Click Switch User (circled in red in this figure). This displays a Vista Network Connect window (Figure 1-8) with the network login icon in the lower-right corner. The network login icon is circled in red in Figure 1-8.


Note If the user is already connected through an AnyConnect tunnel and clicks Switch User, the first tunnel is not disconnected. If the user clicks Network Connect, then the first tunnel is disconnected. If the user clicks Cancel, the tunnel disconnects.


Figure 1-8 Vista Network Connect Window

Step 3 Click the Network Connect button in the lower-right corner of the window to launch the AnyConnect client. This displays the AnyConnect client logon window (Figure 1-9).

Figure 1-9 AnyConnect Client Logon Window

Step 4 Use this AnyConnect GUI to log in to the AnyConnect client as usual.


Note This example assumes that AnyConnect is the only installed connection provider. If there are multiple providers installed, you must select the one you want to use from the items displayed on this window.


Step 5 When you have successfully connected, you see a screen similar to the Vista Network Connect window, except that it has the Microsoft Disconnect button in the lower-right corner (Figure 1-10). This is the only indication that the connection is successful.

Figure 1-10 Disconnect Window

Click the icon associated with your login; in this example, click VistaAdmin to complete your logging on to the machine.


Caution Once the connection is established, you have an unlimited time in which to log on. If you forget to log on after connecting, the tunnel will be up indefinitely.


Disconnecting from the AnyConnect Client Using PLAP

After successfully connecting the tunnel, the PLAP component returns to the original window, this time with a Disconnect button displayed in the lower-right corner of the window (circled in Figure 1-10).

When you click Disconnect, the VPN tunnel disconnects.

In addition to explicitly disconnecting in response to the Disconnect button, the tunnel also disconnects in the following situations:

When a user logs on to a PC using PLAP but then presses Cancel.

When the PC is shut down before the user logs on to the system.

This behavior is a function of the Windows Vista PLAP architecture, not the AnyConnect client.

Configuring the ServerList Attribute

One of the main uses of the profile is to provide a means of supplying a user of the client with a list of hosts to which they can connect. The user then selects the appropriate server. This server list consists of host name and host address pairs. The host name can be an alias used to refer to the host, an FQDN, or an IP address. If an FQDN or IP address is used, a HostAddress element is not required. In establishing a connection, the host address is used as the connection address unless it is not supplied. This allows the host name to be an alias or other name that need not be directly tied to a network addressable host. If no host address is supplied, the connection attempt tries to connect to the host name.

As part of the definition of the server list, a default server can be specified. This default server is identified as such the first time a user attempts a connection using the client. If a user connects with a server other than the default then for this user, the new default is the selected server. The user selection does not alter the contents of the profile. Instead, the user selection is entered into the user preferences.

<?xml version="1.0" encoding="UTF-8" ?> 
<Configuration> 
<ServerList> 
	<HostEntry>
		<HostName>MarketingASA01</HostName>
		<HostAddress>209.165.200.224,/HostAddress>
	</HostEntry>
<HostEntry>
		<HostName>EngineeringASA01</HostName>
		<HostAddress>209.165.200.225,/HostAddress>
	</HostEntry>
</ServerList> 
 
   

Configuring the Certificate Match Attribute

The AnyConnect client supports the following certificate match types. Some or all of these may be used for client certificate matching. Certificate matching are global criteria that can be set in an AnyConnect profile. The criteria are:

Key Usage

Extended Key Usage

Distinguished Name

Certificate Key Usage Matching

Certificate key usage offers a set of constraints on the broad types of operations that can be performed with a given certificate. The supported set includes:

DIGITAL_SIGNATURE

NON_REPUDIATION

KEY_ENCIPHERMENT

DATA_ENCIPHERMENT

KEY_AGREEMENT

KEY_CERT_SIGN

CRL_SIGN

ENCIPHER_ONLY

DECIPHER_ONLY

The profile can contain none or more matching criteria. If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate.

The example in Certificate Matching Example shows how you might configure these attributes.

Extended Certificate Key Usage Matching

This matching allows an administrator to limit the certificates that can be used by the client, based on the Extended Key Usage fields. Table 1-3 lists the well known set of constraints with their corresponding object identifiers (OIDs).

Table 1-3 Extended Certificate Key Usage

Constraint
OID

serverAuth

1.3.6.1.5.5.7.3.1

clientAuth

1.3.6.1.5.5.7.3.2

codeSign

1.3.6.1.5.5.7.3.3

emailProtect

1.3.6.1.5.5.7.3.4

ipsecEndSystem

1.3.6.1.5.5.7.3.5

ipsecTunnel

1.3.6.1.5.5.7.3.6

ipsecUser

1.3.6.1.5.5.7.3.7

timeStamp

1.3.6.1.5.5.7.3.8

OCSPSign

1.3.6.1.5.5.7.3.9

dvcs

1.3.6.1.5.5.7.3.10


As an administrator, you can add your own OIDs if the OID you want is not in the well known set. The profile can contain none or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. See profile example in "Sample AnyConnect Profile and XML Schema" for an example.

Certificate Distinguished Name Mapping

The certificate distinguished name mapping capability allows an administrator to limit the certificates that can be used by the client to those matching the specified criteria and criteria match conditions. Table 1-4 lists the supported criteria:

Table 1-4 Criteria for Certificate Distinguished Name Mapping

Identifier
Description

CN

SubjectCommonName

SN

SubjectSurName

GN

SubjectGivenName

N

SubjectUnstructName

I

SubjectInitials

GENQ

SubjectGenQualifier

DNQ

SubjectDnQualifier

C

SubjectCountry

L

SubjectCity

SP

SubjectState

ST

SubjectState

O

SubjectCompany

OU

SubjectDept

T

SubjectTitle

EA

SubjectEmailAddr

ISSUER-CN

IssuerCommonName

ISSUER-SN

IssuerSurName

ISSUER-GN

IssuerGivenName

ISSUER-N

IssuerUnstructName

ISSUER-I

IssuerInitials

ISSUER-GENQ

IssuerGenQualifier

ISSUER-DNQ

IssuerDnQualifier

ISSUER-C

IssuerCountry

ISSUER-L

IssuerCity

ISSUER-SP

IssuerState

ISSUER-ST

IssuerState

ISSUER-O

IssuerCompany

ISSUER-OU

IssuerDept

ISSUER-T

IssuerTitle

ISSUER-EA

IssuerEmailAddr


The profile can contain none or more matching criteria. A certificate must match all specified criteria to be considered a matching certificate. Distinguished Name matching offers additional match criteria, including the ability for the administrator to specify that a certificate must or must not have the specified string, as well as whether wild carding for the string should be allowed. See "Sample AnyConnect Profile and XML Schema," for an example.

Certificate Matching Example

The following example shows how to enable the attributes that you can use to refine client certificate selection.

		<CertificateMatch>
            <!--
                Specifies Certificate Key attributes that can be used for choosing
                acceptable client certificates.
              -->
			<KeyUsage>
				<MatchKey>Non_Repudiation</MatchKey>
				<MatchKey>Digital_Signature</MatchKey>
			</KeyUsage>
            <!--
                Specifies Certificate Extended Key attributes that can be used for
                choosing acceptable client certificates.
              -->
			<ExtendedKeyUsage>
				<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
				<ExtendedMatchKey>ServerAuth</ExtendedMatchKey>
				<CustomExtendedMatchKey>1.3.6.1.5.5.7.3.11</CustomExtendedMatchKey>
			</ExtendedKeyUsage>
            <!--
                Certificate Distinguished Name matching allows for exact
                match criteria in the choosing of acceptable client
                certificates.
              -->
			<DistinguishedName>
				<DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled">
					<Name>CN</Name>
					<Pattern>ASASecurity</Pattern>
				</DistinguishedNameDefinition>
				<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
					<Name>L</Name>
					<Pattern>Boulder</Pattern>
				</DistinguishedNameDefinition>
			</DistinguishedName>
		</CertificateMatch>